Canva Security Incident – May 24 FAQs

Incident Status Update

Page Updated January 17, 10:21 AEST

On the 11th of January 2020, Canva became aware of a list of approximately 4 million Canva accounts containing user passwords stolen as part of the May 24 breach. The passwords had been decrypted and recently shared online.

As unchanged passwords might be used to access Canva accounts , we responded immediately to restrict access to Canva logins, and commenced work to both invalidate unchanged passwords, and notify users with unencrypted passwords in the list.

What we know

It has been 7 months since malicious individuals gained access to our encrypted password data and made that information available on the internet. In that time it appears that they have been using their resources to try and crack those passwords. Approximately 4 million Canva accounts affected by the May 2019 incident have now had their passwords decrypted.

What is Canva doing about it?

Over the past 7 months, we have sent out a variety of communications informing our affected users how they can secure their accounts. If you have proactively changed your Canva password in that period then you will not need to change it again.

On 2020-01-12, we reset the passwords of all users who had not changed their password following 2019-05-24. These users will be required to change their password when they next log in to Canva. Because we are forcibly resetting passwords, we are also directly notifying recently active Canva users whose passwords have been reset.

We are also notifying those Canva users whose passwords appear to have been decrypted so that they can take steps to protect other accounts where the same password has been used.

What this means for our affected users

Affected users will be required to set a new password to continue using Canva. Please note that if your password has been reset, it does not mean that your account has been accessed by attackers. We are taking this precaution to protect your Canva account.

We apologize for any inconvenience caused, and thank you for your continued support and cooperation.

Sebastian WelshHead of Security, Canva

Page Updated August 10, 23:25 AEST

Some of our users have recently been notified by haveibeenpwned.com (HIBP) and Firefox Monitor of a security breach that occurred on the 24th May 2019. You can read more about the attack, how we responded, and what we did here.

The content of these notifications are accurate, and we’re grateful to HIBP and Firefox Monitor for the service they provide to the community.

For some people with Canva accounts it appears that this security notification has come as a surprise. This is regrettable. As part of our incident response, one of the first things we did was to try to contact affected users via email and through in-app alerts.

The HIBP notification has led some users to ask if their passwords were compromised. The simple answer is no. What was accessed was individually salted and bcrypt-hashed passwords. For non-technical users, this is like a super-secure one-way door that converts your password into something that is incredibly hard to convert back into the original password, even with the strongest computers.

The way we store passwords makes password guessing incredibly difficult but it’s not impossible, and it’s easier if you have easy-to-guess passwords, such as password1, 123456! or Alex1997. So to protect our users on Canva, and elsewhere, we’ve requested all our users to change their passwords on Canva, and anywhere else they’ve used the same password. To help all our users avoid this risk, we’ve partnered with 1Password to offer one year of free access to their password manager service, as well as implemented stronger password checks within Canva.

Since the incident, we’ve introduced a number of internal changes to protect your data. Working closely with leading cyber security consultancy, Mandiant and other partners, we’ve identified the extent of the attack and the causes of it, and made changes to our systems to build an additional layer of protection for our users. We’ll be providing a postmortem of the incident in due course, but in the meantime if you have any further questions, or would like to learn more about the measures we’ve taken to ensure your data is secure on Canva, please feel free to reach us at[email protected].

June 1, 10:13 AEST

Following an investigation with cyber security experts, we now have a better understanding of the impact of the attack and want to provide as much context as we can to our community.

On Friday 24th May 2019, we detected a malicious attack on our systems, which we stopped as it was occurring. Our first response was to lock down Canva, then notify authorities and users that the breach had occurred. Because the intruder was interrupted mid-attack they also took a different tactic to most security incidents and tweeted about the attack, which required a rapid communication response.

Since then we have worked with cyber security experts and authorities, such as the FBI, to help protect our users, and are communicating the latest information below.

What did the attacker do?

They accessed information from our profile database for up to 139 million users. The profile database contains usernames, names, email addresses, country, and optionally, user-supplied data about their city and/or homepage URL which was available through their public profile.

They accessed cryptographically protected passwords (these were individually salted and hashed with bcrypt) for any of those users with username/password logins.

They claimed to have obtained OAuth login tokens for users who signed in via Google. Our OAuth tokens are encrypted with AES128 and the encryption keys are securely stored elsewhere. We have found no evidence they downloaded the OAuth tokens or tried to access the keys.

They briefly viewed files with partial credit card and payment data. We found no evidence these files were stolen. Files contained partial credit card data from before September 28, 2016 (name, expiry date, last 4 digits, card brand and card country), and payment histories from before September 16, 2017 that contained transaction dollar amounts, dates, and IDs for some payments for users and contributors. These limited card details cannot be used for payments. Canva never stores full credit card details.

Designs and images are securely stored in seperate systems. There has been no indication that any user designs or images have been accessed.

What is Canva doing about it?

We continue to invest heavily in security. We intend to publish a technical post mortem of the incident once our investigations are complete. Our first priority, though, is to protect our users. Here’s what we’re doing:

Notifying our users: We want our users to know that they’ve been affected. We’ve directly contacted users via email, but some users have out-of-date or incorrect email details so we have also used in-app notifications and the press to alert users to the breach. We are following up on our initial notification with individual emails to each user outlining what data was accessed.

Prompting users to change passwords: We’ve asked all users who had passwords set before the attack to change them, and are adding rules to help users set stronger ones.

Resetting OAuth tokens: We’ve worked with our partners to make sure all active login tokens that existed prior to the breach are reset. These users will be prompted to reconnect their Canva account.

Coordinating with partners: We are working with partner agencies to share information about the attack, identify the risk to users, and coordinate responses. For example, we’re alerting the email abuse teams of major providers to make it harder for attackers to phish our users.

Partnering with 1Password: While we recommend that our users use different passwords for each site they use, we know that’s hard. We have partnered with 1Password to offer a year free to Canva users who don’t already use their service.

What can Canva users do?

Change your password: If you have a password on Canva and haven’t done so already, we are recommending that everyone change their password on Canva [https://www.canva.com/account/reset/], and if you used the same password on other sites you should change those too.

Report suspicious emails: As a precaution, we’re encouraging everyone to be wary of suspicious emails. Attackers often use creative methods to trick you into handing over your personal information. If you do receive any emails that you believe are suspicious, do not click on them and do not respond. We encourage you to flag them with your email provider.

Use a password manager: We recommend you use a password manager such as 1Password or Google Chrome to generate and remember a unique, secure password for each site you use.

Update your Google/Facebook login if we’ve disconnected it: If you sign in using Facebook or Google we may have reset your login. Just login again to get back into your Canva account.

Update your contact details: Once you have logged in to Canva, please add or update your contact details so we can always contact you about your account.

A final word

We are deeply sorry that this has happened. Everyone at Canva has been on the receiving end of updates like this, and at a personal level we know how upsetting it can be. We want to rebuild and regain the trust you have given us, and will work hard to earn it.